From fccb48b286dcfc07f86d3e376829086294dfd978 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 13 Dec 2018 18:35:06 +0100 Subject: [PATCH] logind: only apply ACLs for device currently tagged with "uaccess" This is about security, hence let's be particularly careful here: only devices currenlty tagged with "uaccess" will get ACL management, and it's not sufficient if they once were (though that is used for filtering). --- src/login/logind-acl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/login/logind-acl.c b/src/login/logind-acl.c index 76af208af1a..5b75d8f3621 100644 --- a/src/login/logind-acl.c +++ b/src/login/logind-acl.c @@ -195,6 +195,10 @@ int devnode_acl_all(const char *seat, FOREACH_DEVICE(e, d) { const char *node, *sn; + /* Make sure the tag is still in place */ + if (sd_device_has_current_tag(d, "uaccess") <= 0) + continue; + if (sd_device_get_property_value(d, "ID_SEAT", &sn) < 0 || isempty(sn)) sn = "seat0"; -- 2.47.3